Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(@angular-devkit/build-angular): move browser-sync as optional dependency #26587

Merged
merged 1 commit into from
Dec 6, 2023
Merged

feat(@angular-devkit/build-angular): move browser-sync as optional dependency #26587

merged 1 commit into from
Dec 6, 2023

Conversation

alan-agius4
Copy link
Collaborator

browser-sync is now an optional dependency of @angular-devkit/build-angular. This package is only needed when using the legacy @angular-devkit/build-angular:ssr-dev-server builder.

Closes #26349

@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: minor This PR is targeted for the next minor release labels Dec 5, 2023
@angular-robot angular-robot bot added the detected: feature PR contains a feature commit label Dec 5, 2023
@alan-agius4 alan-agius4 force-pushed the browser-sync-optional branch 10 times, most recently from 91892db to 22492bd Compare December 6, 2023 11:53
@alan-agius4
feat(@angular-devkit/build-angular): move browser-sync as optional …
75bd83a 
…dependency

`browser-sync` is now an optional dependency of `@angular-devkit/build-angular`. This package is only needed when using the legacy `@angular-devkit/build-angular:ssr-dev-server` builder.

Closes angular#26349
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Dec 6, 2023
@clydin clydin merged commit 364a16b into angular:main Dec 6, 2023
33 checks passed
@alan-agius4 alan-agius4 deleted the browser-sync-optional branch December 6, 2023 16:57
@jase88
Copy link

jase88 commented Dec 7, 2023

Will this also be fixed on v16-lts?

@alan-agius4
Copy link
Collaborator Author

This is only available for version 17.1.x

@von-maurus
Copy link

Hi, is this fixed right now? I'm with this version:

 _                      _                 ____ _     ___
/ \   _ __   __ _ _   _| | __ _ _ __     / ___| |   |_ _|

/ △ \ | '_ \ / | | | | |/ _ | '__| | | | | | |
/ ___ | | | | (| | || | | (| | | | || | | |
// __| ||_, |_,||_,|| _|||
|___/

Angular CLI: 17.0.6
Node: 20.10.0
Package Manager: npm 10.2.3
OS: darwin arm64

Angular: 17.0.6
... animations, cli, common, compiler, compiler-cli, core, forms
... platform-browser, platform-browser-dynamic, router

Package Version

@angular-devkit/architect 0.1700.6
@angular-devkit/build-angular 17.0.6
@angular-devkit/core 17.0.6
@angular-devkit/schematics 17.0.6
@schematics/angular 17.0.6
rxjs 7.8.1
typescript 5.2.2
zone.js 0.14.2

And still tells me this error:

npm audit report

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install @angular-devkit/build-angular@16.2.10, which is a breaking change
node_modules/localtunnel/node_modules/axios
localtunnel >=1.9.0
Depends on vulnerable versions of axios
node_modules/localtunnel
browser-sync >=2.24.0-rc1
Depends on vulnerable versions of localtunnel
node_modules/browser-sync
@angular-devkit/build-angular >=17.0.0-next.0
Depends on vulnerable versions of browser-sync
node_modules/@angular-devkit/build-angular

4 moderate severity vulnerabilities

@alfaproject
Copy link

@alan-agius4 any chance you can update to browser-sync v3 in the 17.0 branch, at least? It makes localtunnel optional

@dagerher
Copy link

@alan-agius4 Is it known if there is still much time left before the release of version 17.1.x?

@JeanMeche
Copy link
Member

@dagerher Release is expected mid of next week !

@lsmith77 lsmith77 mentioned this pull request Jan 10, 2024
Merged
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Feb 10, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@clydin clydin clydin approved these changes

Assignees
No one assigned
Labels
action: merge The PR is ready for merge by the caretaker detected: feature PR contains a feature commit target: minor This PR is targeted for the next minor release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

npm audit on a brand new v17 Angular CLI generated application returns vulnerabilities
7 participants
@alan-agius4 @jase88 @von-maurus @alfaproject @dagerher @JeanMeche @clydin